NIST Privacy Framework: Our Essential Data Protection Guide


Data Protection Must be the Number One Enterprise Focus in 2019

What is data protection?

Data protection is the process of keeping information safe from loss, corruption, and unauthorized access. Every business or organization in 2019 holds sensitive data it would not want to land in the wrong hands. From internal company information such as business plans and employee records to consumer information such as names, social security numbers and credit card numbers, keeping this sensitive data protected is of vital importance.

Over the years, various data protection acts have been implemented throughout the world. In a world where technology is constantly evolving and advancing, the ways of processing and protecting data must evolve as well. Aside from wanting to protect your website, your company and your trade secrets, you also need to think about protecting the sensitive data of your consumers.

Data protection rules and legislation are changing, and we must adapt and change with them. From general data to personal data, we need to have policies in place to protect information accordingly.

Sensitive data protection continues to gain priority for many enterprises, especially from the C-suite perspective. The rise of privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) has increased the urgency to manage sensitive data — and to a greater extent, all data.

Headlines in 2018 trumpeted major hacks and data breaches impacting millions of customers and smearing the names of several multinational corporations. From Facebook to Google and most recently Marriott, it is clear that in today’s world even the largest corporations aren’t safe from significant data security vulnerabilities.

Data protection in 2019 and beyond can no longer be shrugged off as an “IT” problem. It is critical today to address data protection and strategically implement it from the top down in every enterprise. As recent news events have shown us, in the event of a data breach, the hammer comes down on the top leadership for failing to properly monitor and protect their customers’ sensitive data.

Once the damage is done, organizations struggle with challenges around customer retention and paying penalties incurred. According to a recent Forbes article, Marriott will likely have to pay roughly $3.5 billion in fines for the recent breach. That number could reach $8.8 billion if it is discovered that there was no instant notification of the issue to the supervisory authority. When you look at a number like this you should be asking yourself what data protection policy do you have in place? Are you following data protection law?

Organizations are held accountable, not only at the time of a compromising incident, but also through increasingly stringent data privacy and protection regulations.

Now, companies must know exactly where their data resides in order to protect it. They need to identify where sensitive data exists, including within unstructured data, and give the responsible party in the enterprise visibility into, and control over, how that data moves.

In order to effectively protect and monitor data at all levels of an organization, it is absolutely critical that you begin by taking the time to accurately identify and classify all of your data. By skipping these steps as you start your data protection plan, you are setting yourself up for failure before you have truly begun taking action. If you don’t know where your data currently exists, how are you supposed to protect it?

These initial steps will not only make for a more successful data protection program but will position your organization ahead of forthcoming regulations and laws. Classification helps you identify which data is truly sensitive, which helps alleviate most of the security and compliance concerns for an organization.
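The discovery and classification step above is where a program lives or dies, so here is a small illustration of what it looks like in code. This is an added example, not Spirion's product or any code from the original article: it scans a handful of constructed sample documents for two common sensitive identifiers (U.S. social security numbers and payment card numbers), validates each hit so that obvious non-identifiers are not counted, labels every document "Restricted" or "Internal", and reports only masked values so the scan report itself does not become a new copy of the sensitive data. The file paths, sample text and the two-label scheme are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample "unstructured" content of the kind found on shared
# drives, in ticket systems or in mailboxes. Values are made up for this example.
SAMPLE_DOCUMENTS = {
    "hr/onboarding_notes.txt": "New hire Jane Doe, SSN 123-45-6789, starts Monday.",
    "finance/refund_ticket.txt": "Customer asked for a refund to card 4111 1111 1111 1111.",
    "eng/roadmap.txt": "Q3 roadmap: ship feature X, invoice #2024-0113, phone 555-0100.",
}


@dataclass
class Finding:
    path: str
    kind: str     # "SSN" or "PAN" (primary account number)
    masked: str   # identifier with everything but the last four digits masked


@dataclass
class ClassifiedDocument:
    path: str
    label: str    # "Restricted" if any sensitive identifier was found, else "Internal"
    findings: list = field(default_factory=list)


# Hyphenated SSN layout; plausibility is checked separately.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens; Luhn-checked afterwards.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSNs that the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the report never restates the full identifier."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(path: str, text: str) -> ClassifiedDocument:
    """Scan one document and classify it based on what was found."""
    findings = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            findings.append(Finding(path, "SSN", mask(m.group(0))))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding(path, "PAN", mask(digits)))
    label = "Restricted" if findings else "Internal"
    return ClassifiedDocument(path, label, findings)


def classify_corpus(documents: dict) -> list:
    """Classify every document in a {path: text} mapping."""
    return [scan_text(path, text) for path, text in documents.items()]


if __name__ == "__main__":
    for doc in classify_corpus(SAMPLE_DOCUMENTS):
        print(f"{doc.label:10} {doc.path}")
        for f in doc.findings:
            print(f"           {f.kind}: {f.masked}")
```

The two validation checks (SSN plausibility and the Luhn test) are what separate a usable inventory from a pile of false positives; a real deployment would add more identifier types, read files rather than an in-memory dictionary, and feed the resulting labels into access controls and retention rules rather than just printing them.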

The existing data protection and cybersecurity landscape is already extremely complex, and regulations such as GDPR in the EU, NYCRR 500 for financial services in New York and CCPA in California all add new challenges for enterprises. Many other states are following suit — including Ohio, Colorado, Nebraska, South Carolina, Vermont, Iowa, Alaska, Arizona, Louisiana, South Dakota and Oregon. Governments worldwide are responding at multiple levels to consumers’ concerns and are increasingly adding accountability and penalties for organizations — with the hope that these measures decrease risk and protect consumers.

For enterprises moving forward, this means that data protection will no longer be brushed under the rug and seen solely as an IT department issue. Data protection is now at the front of every consumer’s mind as well as a priority for governments around the world. As the sophistication of data breaches and attacks escalates, customers and governments will expect enterprises to adapt to evolving threats and continue to protect their sensitive data in any circumstance.

As that expectation continues to grow along with increased regulations, enterprises will either sink or swim when it comes to data protection. Those who fail to adapt and implement a proper data protection and classification system could be under attack this very moment, and may very well be the face of the next major data breach scandal without even knowing it.

This past year has demonstrated just how devastating these hacks and data breaches can be, both financially and for an enterprise’s brand reputation. This is the year we must learn from past mistakes and take data protection as seriously as any other aspect of an organization. Data protection must be the number one focus in 2019 for enterprises.

In general, there are some rules you should follow in 2019 as a data processor:

  • Security – all data processed and collected through your enterprise should be handled with security at the forefront of your mind.
  • Accuracy – all of your stored data should be accurate and corrected if it is found inaccurate.
  • Holding – you should not be keeping personal information of any kind any longer than necessary. If you have been holding information you no longer need, you should dispose of it properly.
  • Transparency – when you are working with data collected you should do so while being transparent about the reasons you need it. If you do not need it, do not collect it.
  • Necessity – you should not process any unnecessary information from a consumer or employee, especially without their consent.

In 2019 many of the things we do require that some sort of data is collected. Whether we are applying for a new job, making an online purchase or signing up for a distribution list, our information is constantly being uploaded into a system. Protecting the rights and freedoms of consumers and business owners alike is a top priority. Especially as service providers, we should collect information with data protection law, the data subject, the data controller and personal data protection in mind.

Learn more about our data protection solutions

At Spirion we can help you with general data protection, with understanding data protection regulations and with knowing what your legal obligations for privacy purposes are.